TidBITS#592/13-Aug-01

Want to carry your MP3 collection with you? Travis Butler compares the Archos Jukebox with the previously reviewed Nomad Jukebox. Security is on Glenn Fleishman's mind now that the WEP privacy protocol used by Apple's AirPort and other 802.11b wireless networking devices has been shown to be easily broken. In the news, Microsoft appeals the monopoly ruling to the Supreme Court, Apple discontinues KidSafe, and Maxum releases PageSentry 4.0.

Apple Discontinues KidSafe; Poll Asks Why -- People relying on Apple's selection of child-friendly Internet services and the KidSafe extension for restricting access to other sites will have to turn to another service. Apple said it discontinued KidSafe due to low customer usage, though it's unclear why people chose not to use the service. Rather than us guessing, though, take a look at the TidBITS home page for this week's poll, which asks for your opinion of KidSafe - the results may reveal why too few people used it. If you've used KidSafe, you can remove it from your Mac by deleting the KidSafe extension from the Extensions folder and the KidSafe Sherlock plug-in from the Internet Search Sites folder. KidSafe's cancellation follows on the heels of iReview's demise last February. [ACE]

PageSentry 4.0 Watches From Mac OS X -- Maxum Development has released the latest version of their server monitoring and management utility. In short, PageSentry constantly monitors an Internet server and performs some action (sends you email, pages you, runs an AppleScript script) should the server fail to respond. (I'm currently using an older version to reboot my IPNetRouter Mac automatically every few hours when one of its Ethernet cards freaks out and loses track of the Internet connection.) PageSentry 4.0 now comes in both Carbon and Classic versions for compatibility with System 7.1 through Mac OS X. New features include enhanced statistics, additional details in the Status window, sorting of sentries, the capability to suspend testing at specific times, and improved Web reporting. PageSentry 4.0 comes in 4 versions that allow varying numbers of sentries, ranging from the $95 PageSentry OneSite (5 sentries) to the $595 PageSentry ISP (500 sentries). [ACE]

Microsoft Appeals Monopoly Ruling to Supreme Court -- One month after an appeals court upheld that Microsoft Corporation is a monopoly and engaged in anti-competitive practices (see "Breaking Up is Hard to Do" in TidBITS-586), Microsoft has appealed the antitrust case to the U.S. Supreme Court. In its appeal, Microsoft argues that the appeals court ruling should be overturned because U.S. District Judge Thomas Penfield Jackson was biased against the company and should have been disqualified from the case. The appeals court strongly rebuked Judge Jackson for his comments to the media during the penalty phase of the Microsoft trial, but did not find any instance of actual bias in Jackson's decisions. At the same time, Microsoft has asked the appeals court that currently has the antitrust case to postpone any action until the Supreme Court decides whether or not to hear Microsoft's appeal.

The U.S. Supreme Court is under no obligation to hear Microsoft's appeal and is unlikely to take up the now four-year-old case or overturn the earlier appeals court decision. Thus, Microsoft's action is widely seen as a delaying tactic to extend litigation of the antitrust trial well past the expected ship date of Windows XP, which, like Microsoft's bundling of Windows and Internet Explorer, integrates even more previously separate functionality into the Windows operating system. [GD]

Palm and ODBC Support in Microsoft Office 10 -- A miscommunication during my discussions with Microsoft about the two features missing from the initial release of Microsoft Office 10 led to some incorrect information in last week's article about the forthcoming office application suite.

In short, both Palm synchronization and ODBC support are slated for inclusion in Office 10, but they'll appear as free add-ons that arrive some time after Office 10 itself ships. After apologizing for any confusion the miscommunication may have caused readers, Kevin Browne, General Manager of Microsoft's Macintosh Business Unit, wrote:

"Microsoft in fact remains very committed to the ODBC API, as well as to ensuring that customers can continue to connect their Microsoft Entourage for Mac email/PIM program with Palm OS-based handhelds. Since delivery of specific components needed to enable these two features did not align with our planned ship date for Office 10, we will not include these capabilities in the box. However, we will release free add-on packs that provide these features, subsequent to retail availability of Office 10."

Kevin also noted that the MacBU is interested in talking with people who need ODBC capability to make sure they're designing it to meet real-world requirements and impress its importance on Apple. If you have thoughts about ODBC support in Office 10, contact me at <ace@tidbits.com> and I'll redirect you to the appropriate person at Microsoft. [ACE]

AirPort security is dead. Not the airline terminal kind, but the built-in variety found in Apple's AirPort technology and other 802.11b (also known as Wi-Fi) wireless networking hardware from many different manufacturers. Although security experts have warned for months that gaping holes in the Wireless Equivalent Privacy (WEP) protocol rendered it unsafe for serious use, two academic papers released this month put the nails in the coffin.

WEP was supposed to provide a first line of defense against data sniffing. Because 802.11b devices send traffic wirelessly, anyone within range can intercept this traffic. If the traffic is sent without WEP encryption, simple packet sniffer software can grab packets out of the air and turn them back into email messages, Web pages, and so on. (EtherPEG, a program developed at MacHack in 2000, sniffed graphics off Web pages being transmitted to Web browsing attendees.)

If you enable WEP by entering a passphrase (AirPort) or encryption key (most PC systems), only other systems with that key can access the network. It turns out, however, that WEP's underlying algorithm - the way in which the encryption system is implemented - is extremely weak. The two recent papers show that a key can be extracted with no knowledge of the networks after only a few minutes of watching network traffic. To resist attack, an encryption system has to produce a huge number of non-guessable, non-repeating chunks of data, so that breaking it would require either an unreasonably large amount of interception or impossible computation. The algorithm used by WEP instead turns out to rotate through a small number of combinations, overlaid on an identical pattern of network headers.
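The weakness described above, as an added illustration that is not from the original article or from either paper: WEP keys RC4 with a 24-bit per-frame IV prepended to the shared secret (details from the 802.11 standard, not stated on this page), so frames that repeat an IV share a keystream, and the constant LLC/SNAP header at the start of each frame body is known plaintext. The secret, frame bodies and function names are constructed for the example, and the CRC-32 integrity value WEP appends is omitted.

```python
import math
from collections import defaultdict

IV_SPACE = 2 ** 24  # WEP IVs are 24 bits (from the 802.11 standard, not the article)
# LLC/SNAP header that opens the encrypted body of every IP frame: known plaintext.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")


def xor(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(key, n):
    """Generate n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(iv, secret, body):
    """RC4 keyed with IV || secret, as WEP does; the IV is sent in the clear."""
    return xor(body, rc4_keystream(iv + secret, len(body)))


def reused_ivs(frames):
    """Group (iv, ciphertext) pairs and return only the IVs seen more than once."""
    seen = defaultdict(list)
    for iv, ciphertext in frames:
        seen[iv].append(ciphertext)
    return {iv: cts for iv, cts in seen.items() if len(cts) > 1}


def exposed_keystream(ciphertext):
    """Keystream bytes revealed by the constant header, with no key needed."""
    return xor(ciphertext[:len(SNAP_HEADER)], SNAP_HEADER)


def iv_collision_probability(n_frames):
    """Birthday estimate that n frames with random IVs repeat at least one IV."""
    return 1 - math.exp(-n_frames * (n_frames - 1) / (2 * IV_SPACE))


# Constructed sample traffic: one 40-bit secret, three frames, one repeated IV.
SECRET = bytes.fromhex("0123456789")
BODY_A = SNAP_HEADER + b"first constructed frame body"
BODY_B = SNAP_HEADER + b"second constructed frame!!!!"
FRAMES = [
    (b"\x00\x00\x01", wep_encrypt(b"\x00\x00\x01", SECRET, BODY_A)),
    (b"\x00\x00\x02", wep_encrypt(b"\x00\x00\x02", SECRET, BODY_A)),
    (b"\x00\x00\x01", wep_encrypt(b"\x00\x00\x01", SECRET, BODY_B)),
]

if __name__ == "__main__":
    for iv, (c1, c2) in reused_ivs(FRAMES).items():
        # Same IV means same keystream, so it cancels out of c1 XOR c2.
        print(iv.hex(), "leaks plaintext XOR:", xor(c1, c2) == xor(BODY_A, BODY_B))
        print("keystream exposed by header:", exposed_keystream(c1).hex())
    print("P(IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

A layer such as SSL, SSH or a VPN carried over the wireless link does not depend on this keystream, which is why the advice later in the article is to add one.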

The first paper was written by three authors including Adi Shamir, the "S" of the influential RSA encryption algorithm, an early approach that led to commercial systems. Their paper describes logical weaknesses that allow key cracking through passive sniffing of a network. (The paper is not yet online, but an EE Times story documents it well.) The second paper is a practical discussion of successfully implementing the attack; it came out just a week after a draft of the first paper.

What To Do -- Most serious wireless advocates, including the industry consortium WECA (Wireless Ethernet Compatibility Alliance, of which Apple is a member), have urged users with sensitive data to employ an additional encryption layer on top of the now-minimal protection offered by WEP. This advice also holds true for users or systems that use no WEP protection, including virtually all of the public networks (free and for-fee) spreading around the country, and now at over 500 Starbucks outlets.

Corporations typically use virtual private networks (VPNs), which use PPTP (Point-to-Point Tunnelling Protocol) or IPSec (Internet Protocol Security) to encrypt traffic and pass it seamlessly from a user's laptop or remote computer over the Internet through the company's firewall and onto the local network.

Individual users may want to try using SSH (Secure Shell) and SSL (Secure Sockets Layer) products, both of which enable secure encryption of connections travelling over insecure networks. Only a few SSH- and SSL-capable programs are readily available on the Macintosh, though more may be coming for the Unix-based Mac OS X, such as Stalker Software's industrial strength mail server, CommuniGate Pro. We're all familiar with SSL from the Web: secure sites (like online retailers) use SSL to manage encrypted connections between your browser and the site. Less typical, but increasingly available, are SSL plug-ins for more familiar software like Eudora. With an SSL-equipped mail server, you can use Eudora without passing your name and password or incoming and outgoing email in plain text.

SSH was designed to replace Telnet, by allowing remote, secure access to a command line on a Unix or similar system. The free NiftyTelnet 1.1 SSH and MacSSH support SSH for Telnet-style connections, and F-Secure offers a $120 SSH Macintosh client that can communicate securely with Internet services tunneled through the F-Secure SSH Server for Unix or Windows NT/2000. Under Mac OS X, the free OpenSSH has already replaced standard Telnet access to the Unix shell with SSH, but SSH could also be used more broadly to "tunnel" traffic to POP mail servers or through proxies that would offer end-to-end encryption from your machine to the destination server.

All of these security concerns are predicated on the idea that someone wants your data, either indiscriminately (such as sniffing in a public place with wireless access) or specifically (breaking into your home or company network). Most home users have nothing to fear, because even though the attack is fast and relatively simple for someone with the appropriate hardware, software, and networking skills, it's unlikely to be employed indiscriminately against private individuals in their homes. Quite simply, the standard email and Web browsing activities that comprise the majority of normal Internet traffic just aren't sufficiently interesting, so the bad guys aren't going to have much interest in sniffing wireless network traffic.

The biggest concern of working on an open wireless network (or one someone has cracked) is that passwords you send for email, FTP, Telnet, or non-SSL Web sites - such as those stored in the Keychain or Internet Explorer's password management system - can be swiped relatively easily. Having passwords stolen not only puts your data at risk, it also potentially opens your computers up to be used as zombies in denial of service attacks or as relays for hiding the attacker. The best protection for your passwords is to use programs that encrypt passwords whenever possible, to change passwords frequently, and to use different passwords for different services (using the same password for your POP email as your Unix login makes it more likely someone could break into the Unix account).

Stay tuned, since I plan to look into the topic of security on the Macintosh in a future issue of TidBITS. If you're dying to know more right away or want a book-length discussion, check out Peachpit Press's just-published Internet Security for Your Macintosh by Alan Oppenheimer and Charles Whitaker.

Portable MP3 players have now been around for a couple of years. The first and second generation of players were based on flash RAM, which is tiny, battery-thrifty, and convenient, but extremely limited in terms of play time. Back in January of 2001, I reviewed Creative Labs' Nomad Jukebox (see "Portable MP3: The Nomad Jukebox" in TidBITS-562), one of the first players that uses a small hard disk to store songs instead of flash RAM, which extended play time up to 100 hours of music.

I loved the concept, and the Nomad Jukebox had a number of good qualities. Unfortunately, it also had a couple of glaring flaws that kept me from wholeheartedly recommending it: working with the thousands of songs the player can hold was cumbersome unless it was hooked up to your computer, and it was glacially slow at times. The $500 list price was also a sticking point, but that's since dropped to $300, making the Nomad Jukebox a far more attractive proposition. Sadly, Creative Labs hasn't fixed the software flaws I noticed, so I've also been looking at alternatives, such as the Archos Jukebox 6000.

Archos Technology isn't well known in the Macintosh market, but they've exhibited portable storage products at the last few Macworld Expos, and at Macworld Expo in July 2000 they showed a mock-up of a hard disk-based MP3 player. By Macworld Expo in January 2001 they had a working unit, named the Archos Jukebox 6000, and in the months since then it has begun showing up in retail stores. When Best Buy put it on sale for $200, I decided to give it a whirl.

Hardware Design -- Like the Nomad Jukebox, the Archos Jukebox 6000 uses a 6 GB laptop hard disk to store music (a 20 GB model is also available), four rechargeable AA NiMH batteries for power, and USB to connect to your computer. The Archos is significantly smaller than the Nomad; where the Nomad is about the size of a portable CD player, the Archos is about the size of a portable cassette player - half the size of the Nomad, and small enough to fit into a pocket. The controls are simple: a pair of buttons and a four-direction navigation disk. I think Archos tried to pack a few too many features onto those buttons - I would have preferred a few extra dedicated controls for functions like volume - but on the whole I'd say the unit is well-designed.

I see only two significant flaws in the hardware design:

The USB connector on the Archos is a Type A rectangular socket, which is normally only supposed to be used for a master USB device like a computer or a hub; peripherals are supposed to use the square Type B socket. Although USB A-to-B cables are readily available, the USB A-to-A cables the Archos requires are difficult to find. The Archos comes with one A-to-A cable, but I wanted to leave extra cables plugged in at home and work. I never found one at retail, even in computer superstores like CompUSA and Micro Center, and eventually I had to order some from an online store.

Although the Archos shipped with two sets of rechargeable batteries, these should be considered as user replaceable rather than user swappable. The batteries fit in rows on either side of the controls, the ends fitting under the padded plastic caps at the corners of the unit. Removing the batteries involves prying outward with a screwdriver blade while trying to lift up on the cover. Prying the covers away from their catches requires a fair amount of force, and after just three swaps the slots for the pry-blade were chipped and scarred. (The padded caps make it a little harder to fit the unit in your pocket, but they're only a minor nuisance.)

I've listened to the Archos through headphones and hooked up to external speakers, and it sounded good to me both ways (although notably quieter than the Nomad through external speakers). However, I freely admit that I'm no audiophile and probably wouldn't notice problems others might. In general operation, the Archos is quite speedy, and I haven't run into any of the dramatic delays that cripple the Nomad at times. Battery life seems quite good, perhaps a bit longer than the Nomad's: I can typically get a day's use at work on a single charge, though that's not continuous usage.

Overall, while I don't think the hardware is as polished as the Nomad Jukebox, the Archos Jukebox 6000 is sturdy and well-built.

User Interface -- The Archos feels simpler and less sophisticated than the Nomad, which is not necessarily a disadvantage: sometimes simpler translates to faster and easier. For example, the Nomad reads the song library when you turn it on and builds a song database with the ID3 tags for Artist, Album, and Genre, letting you search on them. The Archos does not, but the Archos starts up much faster than the Nomad.

The Archos offers a single main menu, with options for Volume, Bass/Treble controls, Play Mode (once/repeat/shuffle/scan), Language (English/French/German), Hard Disk (space used/remaining), Diagnose (checks disk for directory corruption), Firmware (version check), External (MP3 or line in), and Contrast (adjusts the LCD display). Accessing the menu is simple and quick. I'd also like to see a setting for adjusting the sleep setting; the Archos sleeps after 40 seconds of idle time, regardless of power source, and that's often too short.

Loading Songs -- You can load songs onto the Nomad Jukebox only through an MP3 software plug-in that came with the now-defunct SoundJam MP, is currently supported by iTunes, and appears to also be supported by the new Audion 2.5. You must use your MP3 program to copy and manage the Nomad's library of songs. Although using MP3 software gives you some helpful tools for working with songs, it also has annoying limitations as the only way to manage your player.

In comparison, the Archos Jukebox 6000 appears to the Mac as just another PC-formatted USB hard disk. After you install the Archos USB drivers, the Jukebox 6000 pops up on the desktop as a disk when you plug it in, and you can simply copy folders of MP3s to it. It doesn't care one whit what MP3 software you use on the Mac.

I like this approach; it's less fuss to manage than even the best plug-in for an MP3 program, and it gives you more control over organization. Songs on the Nomad can only be organized by the Album, Artist, and Genre tags, unless you use playlists; thus I often had to resort to kludges like changing the Genre tags on a set of songs I wanted to group together. The Archos, by contrast, lets you create your own folder layout, grouping songs however you like. You can even copy non-MP3 files and folders to its hard disk, which gives it a further use as a battery-powered portable storage device.

Emulating a hard disk also lets the Archos work better as an MP3 peripheral for your Mac. The SoundJam and iTunes plug-ins for the Nomad allow you to control the Nomad from the computer, which is easier and more powerful than running it from the built-in controls. Unfortunately, the Nomad's music doesn't play through the Mac's audio system, so you'll either have to add a separate set of external speakers for the Nomad or borrow the ones you have plugged into your Mac. Neither solution is optimal. But because the Archos is just a hard disk, you can use your favorite Mac MP3 player to play songs from it through your Mac speakers.

Unfortunately, this hard disk approach also has some downsides. You can copy ordinary files and folders to the Archos's hard disk (it displays only folders and MP3 files when you're browsing its contents on the LCD display), but these folders can clutter the directory listings. Also confusing is the way it shows the Mac OS's invisible folders, along with the invisible folders File Exchange creates to hold Macintosh file system information on a PC hard disk.

Those problems are mostly annoying, and at worst, confusing for novice users. But there's another problem that's much worse and which is exacerbated by a near-fatal error in the manual that's corrected only in the ReadMe file and the support section of the Archos Web site - a package insert or sticker in the manual would have been welcome.

Because the Archos's hard disk mounts on the desktop, you can use Erase Disk to format it as a Mac disk. The manual halfway encourages you to do so, saying that you won't be able to use it as a disk on the Mac unless you use File Exchange or format it as a Mac volume. Unfortunately, formatting it as a Mac disk keeps it from working as an MP3 player because the firmware that reads the disk doesn't recognize a Mac-formatted disk. You can partially recover from reformatting by using the Finder's Erase Disk command to format the disk as a 5.5 GB DOS disk, something not mentioned in the ReadMe file (which suggests hooking to a PC to reformat). To complete the recovery and re-enable all functions, you must download the firmware update file from the Archos Web site and copy it to the Archos's hard disk. This fragility is the biggest problem with treating the Jukebox 6000 like a hard disk; I found this out the hard way when some of my playlist-building experiments corrupted the directory and forced a reformat.

Despite these concerns, I prefer being able to treat the Archos as a normal hard disk to using the Nomad via MP3 player plug-ins. If Archos can become more aware of the Mac and clearly explain these issues in a Mac-friendly way, they'd be most of the way to a solution.

Finding and Playing Songs -- The Nomad Jukebox and the Archos Jukebox 6000 are polar opposites in the ways they let you find and play music. The Nomad practically demands you create playlists on your computer; browsing the songs manually is cumbersome. Manual browsing is far easier on the Archos, but the current Mac version of the bundled MusicMatch software won't let you create playlists in a format the Archos can use, leaving you fiddling with other programs.

The Nomad is based around a play queue. When you select a playlist or play songs manually, those songs are loaded into the play queue. This approach is quite flexible; it lets you set a list of songs to play, then plays them while you browse the library for others. Unfortunately, browsing with the built-in controls is a real chore (see my earlier review of the Nomad Jukebox for details).

Browsing for songs on the Archos can be much easier, because you can break up your library into manageable chunks and set up a sensible folder hierarchy. However, that's the only organization you have; you can't search for songs by any of the MP3 information tags like Artist or Album, and it lists files alphabetically by the name of the MP3 file instead of the Song Name information tag. Despite this limitation, I prefer it to the Nomad's approach because being able to create my own organization is more valuable than being able to search through near-unmanageable amounts of data in the MP3 information tags.

The actual process of browsing through your song library in the Archos is easy, if repetitive. You start with the display showing the first item at the top level of the hard disk and skip through the items there one at a time until you find the folder you want. Then you select that folder and repeat the process until you find the song you're looking for. This process would be easier if the Archos used a multiple-line song display like the Nomad's; the Archos has a two-line display with one line reserved for status information, and a single line simply doesn't provide enough context for optimal navigation.

Unfortunately, the Archos is less flexible in playing songs. In Normal play mode, after playing the selected song in a folder, the Archos continues through the folder in alphabetical order, stopping at the last song in the folder. That's it. If you put an album's tracks in a folder, you must prefix filenames with track numbers to play them in track order; otherwise, they'll be played alphabetically. (I've written an AppleScript script for SoundJam that renames files by the order in a SoundJam playlist, which I'm putting up as-is.)

Since the Archos is playing the song you see in the interface, you can't look elsewhere in your library while you listen; moving in the folder tree stops play, and you can't pick up where you left off without browsing back. The Archos desperately needs a play queue like the Nomad's; with that addition, its manual play system would be near-perfect.

Playlist Support -- Playlists are a bit more primitive on the Archos than on the Nomad; instead of being a globally accessible list, Archos playlists are simply files stored in the folder hierarchy that you browse to as you would a song file. This in itself isn't a serious handicap, but the included MusicMatch Jukebox doesn't create playlists in the standard Windows .m3u playlist format, which is all the Archos understands.

The .m3u format is actually just a list of DOS-style file paths, saved as a DOS text file. Fortunately, a programmer at the Mac game company Green Dragon Productions has written a program called MacEmThreeYou, which creates an .m3u playlist from a folder of MP3 files dropped on it. With a text editor capable of working with DOS text files, like BBEdit, you can cut-and-paste to make your own playlists out of songs from different folders. Just be careful that the playlists you copy from all start from the same point in the folder hierarchy, as MacEmThreeYou starts all file paths from the folder you dropped on MacEmThreeYou instead of the top of the folder hierarchy.

I've whipped up another quick-and-dirty AppleScript script for SoundJam that uses the full version of BBEdit 6 (I haven't tested it with earlier versions) to build an .m3u playlist from a SoundJam playlist; it's available with the other SoundJam script above. With these tools, playlists become quite usable on the Jukebox 6000. Although Archos links directly to MacEmThreeYou from their Mac Jukebox Support page, I wish they would provide something like these tools with the unit.
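One way to build such a playlist from songs in several folders, as an added example that is not the author's AppleScript script or MacEmThreeYou: it writes one DOS-style path per line with CR LF endings and makes every path relative to a single base folder, so all entries start from the same point in the hierarchy. The function and parameter names are hypothetical, and which folder the player resolves paths from and which character set it expects are not stated on this page, so the base folder is left to the caller and non-ASCII names are rejected.

```python
import os


def build_m3u(base_dir, song_dirs, playlist_path):
    """Write an .m3u playlist and return the DOS-style paths it contains.

    Every path is made relative to base_dir, so entries gathered from
    different folders all start from the same point in the hierarchy.
    """
    base_dir = os.path.abspath(base_dir)
    entries = []
    for song_dir in song_dirs:
        for root, dirs, files in os.walk(os.path.abspath(song_dir)):
            # Skip invisible folders and walk the rest alphabetically.
            dirs[:] = sorted(d for d in dirs if not d.startswith("."))
            for name in sorted(files):
                if name.startswith(".") or not name.lower().endswith(".mp3"):
                    continue
                rel = os.path.relpath(os.path.join(root, name), base_dir)
                if rel.split(os.sep)[0] == os.pardir:
                    raise ValueError("%s is outside %s" % (name, base_dir))
                entries.append(rel.replace(os.sep, "\\"))
    # DOS text file: one path per line, CR LF line endings.
    data = "".join(entry + "\r\n" for entry in entries)
    with open(playlist_path, "wb") as handle:
        # ASCII is an assumption; a non-ASCII name raises UnicodeEncodeError
        # rather than being written in a form the player might not match.
        handle.write(data.encode("ascii"))
    return entries
```

Because files within a folder are listed alphabetically, prefixing filenames with track numbers keeps an album in track order here as well.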

No Nirvana Yet -- I still haven't found the perfect MP3 player. The Archos Jukebox 6000 has a different set of strengths and weaknesses than the Nomad Jukebox, but it still has notable shortcomings. On the whole, I can live with the Archos's limitations better than I did with the Nomad's, but at least part of that is my personal working habits. But after reading my experiences, I hope you have enough information to judge which player would best fit your needs.

Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.